This quick start guide helps Accenture Security customers configure Splunk® Enterprise™ for Windows® to send logs to the Log Collection Platform (LCP).
The document includes the following topics:
Supported Versions
Port Requirements
Configuring Splunk Enterprise for Windows Events
LCP Configuration Parameters
Sample Logs
Supported Versions
A list of supported versions is available in the Accenture MSS MDR Supported Products List document (Accenture_MSS_Supported_Products_List.xlsx), which can be found in the Accenture MSS MDR Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents
...
The Splunk heavy forwarder sends indexed events to the LCP over the syslog protocol, using RFC 5424. Splunk provides parameters to set the maximum size of an event that can be transmitted over syslog. This functionality was introduced in Splunk version 6.2; therefore, the Microsoft Windows via Splunk Enterprise syslog event collector does not support earlier releases over syslog.
You need to configure Splunk Enterprise to send syslog messages to the LCP, and to send only Windows-based logs to it. Splunk indexes data from many different products, but Accenture Security MSS MDR monitors only Windows events, so the configuration must route only the Windows event logs to the LCP. This requires a syslog output processor, which is available only on a heavy forwarder (a full Splunk Enterprise instance), not on a universal forwarder.
The file paths given in the configuration steps are the same on both Windows and Linux. Navigate to the Splunk installation root folder to edit the files mentioned above. Copies of these files (outputs.conf, transforms.conf, and props.conf) may also exist in other locations, such as under …\etc\system\default\..., but for the given configuration to work, the copies under the "local" folder must be the ones changed.
...
Type: The Splunk default is udp, but MSS MDR recommends TCP.
Priority: 13 is the default value for auditing. The collector does not support events when this field is set to NO_PRI. For reference, see http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Outputsconf.
MaxEventSize: Use the MSS MDR recommended value. All events exceeding this size will be truncated.
...
For example, you may have an existing group named "Sync1" while the Symantec MSS MDR specified group is "SymantecMSS". In that case the settings for each group need to be explicit and independent, as shown below.
...
Server: Add the LCP IP address and port number.
Type: The Splunk default is udp, but MSS MDR recommends TCP.
Priority: 13 is the default value for auditing. The collector does not support events when this field is set to NO_PRI. For reference, see http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Outputsconf.
MaxEventSize: Use the MSS MDR recommended value. All events exceeding this size will be truncated.
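The three configuration files described above, put together as one added example (this is not text from the guide; it is illustrative configuration written for this page). The group names "Sync1" and "SymantecMSS" and the port 601/tcp come from the guide; the IP addresses 192.0.2.10 and 203.0.113.5 are documentation addresses standing in for the real LCP and existing-destination addresses, 514/udp for the existing group, the stanza names "send_to_lcp" and "TRANSFORMS-lcp", and the maxEventSize value 1024 are all assumptions, and the latter must be replaced with the MSS MDR recommended value. All three files live under the heavy forwarder's etc\system\local folder.

```ini
# ---- outputs.conf ----
# Added example, not the guide's own configuration.
# 192.0.2.10 is a placeholder for the real LCP IP address.

[syslog]
# Deliberately no defaultGroup: with a pre-existing group such as Sync1,
# nothing should be routed implicitly. Each group is selected explicitly
# via _SYSLOG_ROUTING in transforms.conf, so Windows events go only to the LCP.

[syslog:Sync1]
# Existing group, left as it was (assumed values).
server = 203.0.113.5:514
type = udp

[syslog:SymantecMSS]
# LCP destination: IP address and port from the Port Requirements / Table 1-2.
server = 192.0.2.10:601
# MSS MDR recommends TCP rather than Splunk's default of udp.
type = tcp
# Priority is an integer in angle brackets; NO_PRI is not accepted by the LCP collector.
priority = <13>
# PLACEHOLDER: replace 1024 with the MSS MDR recommended value.
# Events larger than this are truncated before transmission.
maxEventSize = 1024

# ---- props.conf ----
# Only the Windows event logs named in Table 1-2 (Security, Application, System)
# are tagged for routing; every other sourcetype is left alone.

[WinEventLog:Security]
TRANSFORMS-lcp = send_to_lcp

[WinEventLog:Application]
TRANSFORMS-lcp = send_to_lcp

[WinEventLog:System]
TRANSFORMS-lcp = send_to_lcp

# ---- transforms.conf ----
# Matches every event of the sourcetypes above (REGEX = .) and sets the
# syslog routing key to the SymantecMSS group defined in outputs.conf.

[send_to_lcp]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = SymantecMSS
```

After saving the files, restart the heavy forwarder (splunk restart) so the local configuration is reloaded, then confirm that only the three Windows event log sourcetypes are seen on the LCP side and that the Sync1 destination still receives what it did before.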
...
Table 1-2: The Splunk Enterprise for Windows event collector properties to be configured by MSS MDR.
| Property | Default Value | Description |
| Protocol | TCP | Default protocol for syslog events. |
| IP Address | Splunk Enterprise for Windows IP address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture Security MSS MDR onboarding team. |
| Signature | LogName=Security, LogName=Application, LogName=System | MSS MDR recommended signatures processed by the Splunk Enterprise for Windows event collector. |
| Port Number | 601 | The default port for syslog. Note: Discuss with the onboarding team if any other technologies send logs to the LCP using the same port and protocol. |
...